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January  14,  1997 


Mr.  Harry  Koch 
ESC/ENS 

5  Eglin  Street,  Building  1704 
Hanscom  Airforce  Base,  MA  01731-2116 

Dear  Mr.  Koch: 

This  letter  contains  our  R  &  D  Status  Report  covering  the  period  from  October  1, 1996  to  December. 
31,  1996  for  Contract  F19628-95-C-0118,  entitled  “Applications  of  the  Theory  of  Distributed  and 
Real-Time  Systems  to  the  Development  of  Large-Scale  Timing-Based  Systems”. 

Technical  Progress 

In  the  following  report,  more  information  about  the  people  mentioned  can  be  found  on  our  group’s 
“people”  page,  at  URL  http://theory.lcs.mit.edu/tds/people.html. 

I.  Modelling  and  verification  tools 


•  Garland  and  Lynch  now  have  completed  a  tentative  design  of  a  programming  language  for  I/O 
automata,  which  they  are  now  calling  “IOA”.  This  language  allows  simple  abstract  description 
of  distributed  systems,  in  order  to  aid  in  system  development,  testing  and  verification.  A 
parser  for  the  language  was  completed  prior  to  this  reporting  period.  During  this  quarter,  two 
graduate  students,  Vaziri  and  Yang,  joined  this  project.  Vaziri  has  been  working  on  a  language 
manual.  Yang  has  begun  working  on  portions  of  the  static  semantic  checker  related  to  the  I/O 
automaton  model,  while  Garland  has  been  working  on  portions  involving  the  Larch  theorem 
prover.  Garland  and  Lynch  have  begun  discussions  with  others  (Vaandrager,  Heitmeyer), 
with  the  idea  of  linking  our  language  with  various  existing  verification  and  simulation  tools. 

•  Jensen  and  Vaziri  have  been  examining  and  developing  techniques  for  the  integration  of  model 
checking  and  theorem  proving  methods  for  verification  of  concurrent  systems.  Specifically, 
they  have  been  studying  the  feasibility  of  abstracting  from  an  infinite-state  system  to  a  finite- 
state  system.  They  have  developed  a  property-preserving  abstraction  theorem  for  the  I/O 
automaton  framework.  They  are  currently  examining  uses  of  this  theorem  in  the  verification 
of  concurrent  read/write  and  mutual  exclusion  algorithms. 

•  Segala,  with  some  help  from  Lynch,  has  rewritten  the  paper  “Liveness  in  Timed  and  Untimed 
Systems” ,  by  Segala,  Gawlick,  Sogaard- Andersen  and  Lynch,  for  journal  submission.  This 
paper  presents  a  compositional  treatment  of  liveness  properties  for  both  untimed  and  timed 
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distributed  systems.  During  this  reporting  period,  the  main  proofs  were  substantially  simpli¬ 
fied  and  shortened,  using  insights  derived  from  Segala  and  Lynch’s  recent  work  on  modelling 
hybrid  systems.  The  paper  still  needs  a  small  amount  of  cosmetic  work,  but  is  basically  done. 

•  De  Prisco  developed  a  new  “Clock  Timed  Automaton”  model.  It  provides  a  systematic  way 
of  describing  timing-based  systems  in  which  there  is  a  notion  of  “normal”  timing  behavior, 
but  that  do  not  necessarily  always  exhibit  this  “normal”  behavior.  This  model  is  intended 
to  be  used  for  stating  and  proving  performance  and  fault-tolerance  properties  for  practical 
systems.  In  particular,  it  is  useful  for  properties  that  hold  when  the  system  stabilizes  to  a 
situation  in  which  timing  behavior  is  normal  and  no  additional  failures  occur.  Examples  of 
this  sort  of  analysis  appear  in  items  III.A3  and  III.A4  below. 

•  Hoest  and  Shavit  have  developed  a  novel  mathematical  model  for  evaluating  the  complexity 
of  algorithms  in  an  asynchronous  setting.  This  model,  which  is  a  continuation  of  Shavit’s 
computability  modelling  work,  is  based  on  the  use  of  tools  from  algebraic  topology.  They  are 
now  writing  an  article  to  be  submitted  to  a  conference  shortly. 


II.  Algorithms  and  impossibility  results 

•  In  the  previous  reporting  period,  Della  Libera  and  Shavit  completed  their  work  on  reactive 
diffracting  trees,  a  new  version  of  the  diffracting  tree  synchronization  primitive  that  grows 
and  shrinks  according  to  the  load  on  the  data  structure.  During  this  quarter,  they  worked 
on  preparing  a  conference  version  of  the  results. 

•  Shavit  and  Zemach  continued  their  work  on  a  highly  concurrent  priority  queue  design  based 
on  their  earlier  “combining  forest”  data  structure.  They  also  began  work  on  a  linearizable 
stack  structure.  They  continued  to  perform  empirical  evaluations  of  the  designs  using  the 
Proteus  simulator.  Shavit  and  Zemach  also  completed  their  work  with  Upfal  of  IBM  Almaden 
on  a  journal  version  of  their  SPAA  96  paper  providing  a  mathematical  model  for  analyzing 
diffracting  tree  performance,  and  submitted  it  for  publication.  Finally,  Shavit  and  Zemach 
completed  their  design  of  a  new  “wait-free”  sorting  algorithm  -  one  that  takes,  on  average, 
logarithmic  parallel  time  and  runs  (though  slightly  less  effectively)  even  if  all  processes  but 
one  fail. 

•  Shavit  and  Shvartsman  started  working  on  the  journal  version  of  their  paper  with  Lynch  and 
Touitou.  The  paper  deals  with  linearizability  of  counting  networks  and  includes  an  extended 
empirical  analysis.  A  preliminary  version  of  these  results  appeared  in  PODC96. 

•  Shvartsman  revised  the  manuscript,  A  Theory  of  Fault- Tolerant  Parallel  Computation.  This 
monograph  synthesizes  the  latest  results  for  parallel  computation  in  the  presence  of  failures, 
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restarts  and  delays.  The  publication  date  by  Kluwer  Academic  has  been  set  for  February, 
1997. 


III.  Applications 

A.  Distributed  system  building  blocks 


•  Shvartsman  and  Oleg  Cheiner,  an  M.Eng.  student,  continued  experimentation  using  a  proto¬ 
type  distributed  algorithm  based  on  the  eventually  serializable  data  service  of  Fekete,  Gupta, 
Luchangco,  Lynch  and  Shvartsman,  presented  in  PODC  96.  Early  results  using  a  LAN-based 
message-passing  implementation  suggest  that  even  when  operations  are  not  required  to  be 
serialized,  the  proportion  of  operations  that  yield  results  inconsistent  with  the  eventual  order 
is  very  small.  Cheiner  completed  and  submitted  his  M.Eng.  proposal. 

•  Lynch  and  Shvartsman  completed  their  paper  defining  a  new  reconfigurable  quorum-based 
broadcast-convergecast  communication  primitive.  They  used  the  primitive  to  obtain  new 
fault-tolerant  distributed  implementations  of  serializable  shared  read/write  memory.  The 
paper  was  submitted  to  FTCS  97  under  the  title  “Robust  Emulation  of  Shared  Memory 
Using  Dynamic  Quorum- Acknowledged  Broadcasts” . 

•  Fekete,  Lynch  and  Shvartsman  are  completing  a  conference  version  of  their  paper  on  group 
communication  services.  They  have  developed  automaton-based  specifications  for  group  com¬ 
munication  primitives  such  as  those  used  in  the  Isis,  Transis,  Horus  and  Psynch  systems.  In 
particular,  they  have  developed  specifications  for  a  virtually  synchronous  group  communi¬ 
cation  (VSGC)  service  and  for  a  totally  ordered  broadcast  service.  They  have  modelled  an 
algorithm,  derived  from  one  of  Dolev  and  his  students,  that  uses  VSGC  to  implement  to¬ 
tally  ordered  broadcast.  They  have  a  good  outline  of  an  assertional  correctness  proof  for  this 
algorithm,  plus  specifications  and  proofs  giving  performance  and  fault-tolerance  properties. 
The  performance  and  fault-tolerance  analysis  is  a  “stabilized”  analysis  of  the  sort  discussed 
in  item  14  above.  This  work  is  being  prepared  for  a  conference  submission. 

Also,  working  with  Khazan,  Lynch  and  Shvartsman  have  begun  modelling  a  load  balancing 
algorithm  that  also  uses  VSGC. 

•  De  Prisco  has  continued  his  work  on  modelling,  improving  and  verifying  the  Paxos  algorithm. 
Work  done  this  quarter  was  devoted  to  finishing  the  timing  model  (see  item  14  above),  and 
completing  the  performance  analysis.  The  result  of  the  work  will  be  presented  in  De  Prisco’s 
M.S.  thesis  which  is  scheduled  to  be  completed  at  the  end  of  January. 

•  Luchangco  is  continuing  research  on  modelling  distributed  memory,  trying  to  understand 
models  that  have  been  proposed  by  both  theoreticians  (e.g.,  causal  memory,  pipelined  RAM) 
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and  architects  (e.g.,  Alpha,  PowerPC),  demonstrate  the  relationships  amongst  them,  and 
distill  the  key  ideas.  He  is  also  developing  a  general  framework  for  analyzing  precedence-based 
memory  models,  which  are  generalizations  of  standard  multi-processor  memory  models,  and 
demonstrating  how  this  framework  can  be  used  to  prove  theorems  about  the  various  models 
and  their  implementations. 

B.  Transit 


•  Livadas  continued  his  work  on  the  use  of  Hybrid  I/O  Automata  to  model  vehicle  protection 
subsystems,  as  used  in  the  Raytheon  Personal  Rapid  Transit  project.  His  model  allows  simple 
composition  of  protectors  that  require  correct  operation  of  each  other.  The  correctness  proofs 
are  nearly  complete  for  protectors  preventing  overspeed  and  collisions  both  for  the  case  of 
a  single  straight  track  and  the  case  of  a  track  comprised  of  Y  shaped  merges  and  diverges. 
Livadas  hopes  to  finish  his  M.S.  thesis  by  the  end  of  January. 

•  Dolginova  and  Lynch  continued  their  work  on  modeling  and  analyzing  safety  of  the  platoon 
join  maneuver  for  the  California  PATH  intelligent  highway  project,  using  Hybrid  I/O  Au¬ 
tomata.  Two  papers  have  been  written:  one,  written  with  Mike  Branicky,  presented  at  the 
Hybrid  Systems  workshop  in  Ithaca,  Oct.  ’96  and  currently  undergoing  revision  for  submis¬ 
sion  to  the  symposium  proceedings;  and  one  accepted  for  the  HART’97  workshop  in  Grenoble, 
France  in  Mar.  ’97. 

•  John  Lygeros,  who  joined  the  group  in  November,  has  begun  working  with  Lynch  and  Livadas 
on  ways  of  combining  techniques  from  control  theory  and  discrete  system  theory  to  reason 
about  hybrid  vehicle  control  systems. 

C.  Communication 


•  Smith  and  Lynch  worked  out  carefully  an  impossibility  result  for  the  “at-most-once  fast  de¬ 
livery  problem”.  This  problem  is  the  one  that  the  TCP/IP  transport  level  protocol  T/TCP 
is  designed  to  solve.  The  impossibility  result  says  that  if  the  client  and  server  do  not  have 
accurate  clocks,  then  no  protocol  can  solve  this  problem.  In  addition  to  the  proof  of  impossi¬ 
bility,  this  work  presents  an  interesting  formal  model  for  systems  with  local  clocks  that  must 
have  liveness  requirements.  This  model  is  based  on  the  general  model  for  timed  systems  with 
liveness  requirements  of  Segala,  Gawlick,  Sogaard- Andersen  and  Lynch,  described  in  item  13 
above. 

•  Fekete,  Lynch,  and  Shvartsman  have  produced  formal  specifications  for  several  multicast  com¬ 
munication  service,  including  a  virtually  synchronous  group  communication  (VSGC)  service 
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similar  to  the  ones  used  in  systems  like  Isis,  Horus,  Transis,  Totem,  etc.  These  specifications 
include  performance  and  fault-tolerance  properties  as  well  as  “ordinary”  correctness  proper¬ 
ties.  An  algorithm  using  VSGC  to  implement  a  totally  ordered  broadcast  service  has  been 
developed,  verified  and  analyzed.  This  is  discussed  in  more  detail  in  item  III.A3  above. 

D.  Probabilistic  Systems 


•  Segala  and  Lynch  worked  intensively  on  trying  to  finish  the  work  of  Pogosyants  and  Segala 
on  modelling,  verifying  and  analyzing  the  Aspnes-Herlihy  randomized  consensus  protocol. 
(Pogosyants  died  in  a  car  crash  in  Dec.  95,  and  this  was  her  thesis  project  at  the  time.) 
Besides  a  proof  of  this  particular  algorithm,  many  useful  techniques  for  analyzing  random¬ 
ized  distributed  systems  have  been  produced  in  the  course  of  this  work.  The  full  paper  is 
substantially  done  -  it  needs  only  minor  cosmetic  changes.  Segala  and  Lynch  are  currently 
preparing  a  paper  based  on  this  for  submission  to  PODC97. 

Special  Programs  and  Major  Items  of  Equipment 

None. 

Changes  in  Key  Personnel 

1.  Prof.  Alan  Fekete  returned  to  Sydney  University  at  the  end  of  December. 

2.  Dr.  Vicente  Cholvi-Juan  returned  to  the  University  of  Jaume  I  in  Spain  at  the  end  of 
December. 

3.  New  graduate  students  Roger  Khazan,  Henrik  Jensen  and  Gunnar  Hoest  joined  the  group. 

4.  Dr.  John  Lygeros  joined  the  group  as  a  postdoc,  after  finishing  his  PhD  in  Prof.  Sastry’s 
group  at  Berkeley.  He  will  work  on  modelling  hybrid  systems,  in  particular,  transportation 
control  systems. 

Trips,  Talks  and  Conferences 

1.  Nancy  Lynch  spoke  on  “Correctness  of  Vehicle  Control  Systems:  A  Case  Study”,  at  the  17th 
IEEE  Real-Time  Systems  Symposium,  Washington,  D.  C.  in  December,  1996. 

2.  Steve  Garland  spoke  on  “Computer-Assisted  Verification  of  an  Algorithm  for  Concurrent 
Timestamps”  at  the  FORTE/PSTV’96  Conference,  Kaiserslautern,  Germany,  in  October. 
1996. 
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3.  Mark  Smith  spoke  on  ’’Formal  Verification  of  Communication  Protocols”  at  the  FORTE/PSTV’96 
Conference,  Kaiserslautern,  Germany,  in  October.  1996. 

4.  Alan  Fekete  spoke  on  ’’Reasoning  about  Transaction  Management”  at  Northeastern  Univer¬ 
sity,  in  October. 

5.  Alan  Fekete  spoke  on  ’’Distributed  Commit”  at  the  University  of  Massachusetts,  Boston,  in 
November. 

6.  Alan  Fekete  spoke  on  ’’Reasoning  about  System  Infrastructure”  at  Carnegie-Mellon  Univer¬ 
sity,  in  November. 

7.  Alan  Fekete  spoke  on  ’’Reasoning  about  System  Infrastructure”  at  Imperial  College  in  London, 
in  November,  1996. 

8.  Mandana  Vaziri  attended  the  autumn  school  on  verification:  “Combining  model  checking  and 
theorem  proving”,  in  Aahrus,  Denmark,  in  October-November,  1996. 


Areas  of  Concern 
None. 

Statement  of  Sufficiency 

The  contractually  prescribed  effort  appears  to  be  sufficient  to  achieve  the  objectives  of  this  contract. 

Degrees  awarded 

None. 

Related  Accomplishments 

During  this  reporting  period  the  following  papers  have  been  submitted  for  publication,  accepted 
for  publication,  or  published: 

[1]  Nancy  Lynch  and  Alex  Shvartsman.  Robust  emulation  of  shared  memory  using  dynamic 
quorum-acknowledged  broadcasts,  1996.  Submitted  for  publication. 

[2]  N.  Shavit  and  E.  Upfal  and  A.  Zemach.  A  steady  state  analysis  of  diffracting  trees.  Submitted 
for  journal  publication. 

[3]  Paris  C.  Kanellakis  and  Alex  A.  Shvartsman.  A  theory  of  fault-tolerant  parallel  computation. 
Kluwer  Academic  Publishers.  To  appear  in  February  1997. 
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[4]  Ekaterina  Dolginova  and  Nancy  Lynch.  Safety  verification  for  automated  platoon  maneu¬ 
vers:  A  case  study.  International  Workshop  on  Hybrid  and  Real-Time  Systems  ( HART’97 '), 
Grenoble,  France,  March  1997.  To  appear. 

[5]  Michael  S.  Branicky,  Ekaterina  Dolginova,  and  Nancy  Lynch.  A  toolbox  for  proving  and 
maintaining  hybrid  specifications.  Presented  at  HS’96:  Hybrid  Systems,  October  12-16,  1996, 
Cornell  University,  Ithacs,  NY.  To  be  published  in  proceedings. 

[6]  Tsvetomir  P.  Petrov,  Anna  Pogosyants,  Stephen  J.  Garland,  and  Nancy  A.  Lynch.  Computer- 
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